I'm sure this is not the first post on this subject.
I have a customer who is using a well known cable modem provider in the U.S.A. Alabama area. The Fortigate is a FGT60D and the traffic load is low. Firmware 5.2.7. Wth all UTM features turned on. The CPU is running about 30% and the memory is about 30%, drive space is about 2%.
So here is the problem. I plug directly into cable modem with a laptop a gigabit Ethernet port I can get speeds of 100+ mbps.
If I run the same speed tests from behind the firewall I can get no more that 30-50 mbps. The interface is running clean. I set the MTU to 1486, the link is 1000 mbps no errors or discards.
MARC # diag hardware deviceinfo nic wan1
Driver Name :Fortinet NP4Lite Driver
Version :1.0.1
Admin :up
Current_HWaddr 08:5b:0e:fb:77:be
Permanent_HWaddr 08:5b:0e:fb:77:be
Status :up
Speed :1000
Duplex :Full
Host Rx Pkts :14016141
Host Rx Bytes :1368925816
Host Tx Pkts :4185891
Host Tx Bytes :704822715
Rx Pkts :14694625
Rx Bytes :2165812281
Tx Pkts :4712018
Tx Bytes :1193377881
rx_buffer_len :2048
Hidden :No
cmd_in_list : 0
promiscuous : 1
ANyone have any suggestions on how to increase the speed/throughput on the Fortigate?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I would start with disabling UTM features, start with none, then one and so forth.
Typically because the device is doing UTM there is active scanning happening during that test. When you are simply in the Cable Modem, there is none of that happening.
I have several 40, 60 and 100's in production and as the model is lower, the more i see some bandwidth getting cut off due to UTM features. Probably IPS being the biggest culprit.
Make sure you create your own UTM features based off the defaults to only use what you need.
Hope that helps.
Thanks for the input, I had already tried disabling everything possible without killing traffic flow and it did not make that much difference. The provider switched out their modem and it helped a little but I still believe there is a issue at layer 2-4. If I can get a 100 Mbps speed test from the modem then I should at least get an 80 Mbps test through the Fortigate. I ran the hardware diagnostic and it came back clean.
On another note it seems to be the same on all of my cable modem customers. I have even had some that will loose sync with the cable modem and just stop passing traffic. I can ping the gateway IP from the public side and I can ping the Gateway from the Fortigate side but the traffic will not pass through the connection, also the route goes down and will not come back up until one of the devices (Fortigate or Cable modem) has been rebooted. This is for several customers not just one. I've tried hard coding the speed and duplex, changing the MTU, and changed the port. zit is only on the cable modem connections nothing else.
How do you authenticate on the port to the modem? There is a known high speed-high CPU issue with low end FGTs if they are configured to run PPPoE in excess of 100 Mbps. The PPPoE protocol is run on the CPU which is not capable of high loads.
In contrast, running 1 Gbps IPsec is no problem CPU-wise even on small FGTs as the crypting load is offloaded to an ASIC.
There is no authentication it is all static connections.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.